
About 1,500 iPhone and iPad apps contain an HTTPS-crippling vulnerability that makes it easy for attackers to intercept encrypted passwords, bank-account numbers, and other highly sensitive information, according to research released Monday.

"The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates," researchers Simone Bovi and Mauro Gentile wrote in a blog post published in late March. They went on to say that they analyzed one app running AFNetworking 2.5.1 and found alarming results. "We tested the app on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention!" (Emphasis is theirs.)

According to research published Monday by SourceDNA, about 1,500 iOS apps remain vulnerable to man-in-the-middle attacks that can decrypt HTTPS-encrypted data. To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.

SourceDNA identified vulnerable apps by scanning all free titles and the top 5,000 for-fee titles available for download in Apple's App Store and analyzing the binary code in each one. (In all, about 1 million of the 1.4 million titles in the App Store were analyzed.) This made it possible for researchers to identify apps based on their behavior and the tools and libraries they're made with. The 1,500 vulnerable apps are those that use AFNetworking version 2.5.1, implement HTTPS, and don't implement a measure known as certificate pinning, which ensures that an app uses only a specific certificate for HTTPS authentication and encryption. By default, certificate pinning is turned off in AFNetworking. The 1,500 apps identified don't include those that were fixed after SourceDNA privately reported the vulnerability to developers. App developers who fixed the bug include companies such as Yahoo, Microsoft, and Uber.
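As an added example (not code from the article, SourceDNA, or the AFNetworking project), this is how an app built on AFNetworking 2.x opts into the certificate pinning that the 1,500 affected apps did not enable; the bundle filename `api.example.com.cer` and the base URL are placeholders.

```objc
// Added example (not from the article or AFNetworking): opting an
// AFNetworking 2.x client into certificate pinning. The filename and
// hostname below are placeholders, not values from the article.
#import <AFNetworking/AFNetworking.h>

// Loads the DER-encoded server (or issuing CA) certificate shipped
// inside the app bundle. "api.example.com.cer" is an assumed filename.
static NSData *PinnedCertificateData(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"api.example.com"
                                                     ofType:@"cer"];
    return path ? [NSData dataWithContentsOfFile:path] : nil;
}

// Builds a session manager whose TLS evaluation only succeeds when the
// presented chain matches the pinned certificate. A counterfeit
// certificate from a network attacker therefore fails the pin check
// even though it could pass through an SSL proxy on a 2.5.1 client
// without pinning.
AFHTTPSessionManager *PinnedSessionManager(void) {
    NSData *cert = PinnedCertificateData();
    NSCAssert(cert != nil, @"pinned certificate missing from bundle");

    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.pinnedCertificates = @[cert];    // NSArray in 2.x (NSSet in 3.x)
    policy.allowInvalidCertificates = NO;   // reject self-signed/expired chains
    policy.validatesDomainName = YES;       // hostname must match the certificate

    NSURL *base = [NSURL URLWithString:@"https://api.example.com/"]; // placeholder
    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:base];
    manager.securityPolicy = policy;
    return manager;
}
```

Pinning narrows which certificates the app will accept; an app still on 2.5.1 should also move to the fixed library release that the vendor shipped.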

For the past four weeks, SourceDNA has kept the list of vulnerable apps private to prevent real-world attacks. The company has now unveiled a search tool that lets end users check if specific apps they use are vulnerable. The tool will be updated regularly to remove apps that are fixed and add apps that become vulnerable. SourceDNA also offers a service that provides a comprehensive inventory of commercial and open-source code used in specific apps, along with an alert service that will notify users if vulnerabilities are found in any of them.

iOS users should spend a few minutes to check if any of the apps they use are among those found to be vulnerable. Readers are invited to report their findings in the comments section of this post.

Listing image by Jorge Quinteros. Article updated to correct details in the fifth paragraph about scanning methodology. Only the top 5,000 for-fee apps were tested.

Promoted Comments

So does this mean that merely having one of these apps on my device has crippled https on my entire ipad? Or just the secure portions of that one app?

Yes, a little miffed at the author for not getting more in-depth information.

We need to know: Does this flaw only affect the system when the flawed app is in use? Does this flaw affect the system anytime the app is installed?

These are very important questions that also speak to the severity of the flaw.

The flaw doesn't impact the system at all, it only impacts apps using the third-party framework AFNetworking (not by Apple, not distributed with the iOS SDK), and only ones using specific versions of the framework.

Since it only impact(ed) specific apps, clearly it'll only potentially impact you when you're using those apps.

If you installed CandyMountainClansWarFREE, and it's vulnerable... then you're at risk when you're using that app. You're not at risk using Safari.

It would be nice if they also provided a straight up list of apps by name. I don't have all that many apps, but doing individual searches by developer (I'm honestly not even sure where, besides on iTunes on my computer, or individually on the App Store, I can quickly look up the developer of each app), rather than app name, seems like a rather laborious process.

This was intentional. Our goal was to make it easy for a developer (or dedicated user) to look up apps that are important to them without disclosing the entire list to the world. It takes developers time to fix their apps, and we're hoping this encourages the remaining ones to do so quickly.

BTW, we found ~1k apps vulnerable on April 1 and then the number went up to ~1.5k by April 18. The theory is that developers just aren't aware of this issue and don't know that they pulled from the AFNetworking tree when it was vulnerable. This is fascinating because it's so different than the desktop world (vulnerable population usually goes down over time).

Yes, the vendor did issue a fix for this issue back on March 26, and we found ~1k apps vulnerable on April 1. Then the number went up to ~1.5k when we just re-scanned April 18. The theory is that developers just aren't aware of this issue and don't know that they pulled from the AFNetworking tree when it was vulnerable. That's why I think this is still relevant -- developers don't know about this flaw because it's been so long since the patch was released and they're still releasing vulnerable updates to their apps.